
Hosted Email Security 9.0 Admin Guide

Anti-Virus

SonicWall Hosted Email Security’s Anti-Virus feature protects your organization from inbound email-borne viruses and prevents your employees from sending viruses with outbound email. The Anti-Virus feature uses virus-detection engines to scan email messages and attachments for viruses, Trojan horses, worms, and other types of malicious content. Once SonicWall Hosted Email Security has identified an email message or attachment that contains a virus or is likely to contain a virus, you determine how that email message is handled. The virus-detection engines receive periodic updates to keep them current with the latest virus definitions.

When any one of the virus-detection engines is activated, you also get the benefit of SonicWall Hosted Email Security’s Time Zero Virus Technology. This technology uses heuristic statistical methods and virus-outbreak response techniques to estimate the probability that a message contains a virus. If the probability meets certain levels, the message is categorized as Likely Virus. This technology complements the virus-detection engines; enabling it provides the greatest protection against time zero viruses, that is, during the first hours after a virus is released, when major anti-virus companies have not yet updated their virus definitions to catch it.

This chapter provides configuration information specific to the Anti-Virus feature. Topics include:

Inbound Anti-Virus Protection

Anti-Virus protection can be configured on the inbound and outbound paths. You are able to define separate actions for Definite Viruses and Likely Viruses.

To configure Anti-Virus protection on the inbound path:
1
Navigate to the Anti-Virus page and select Inbound.
NOTE: If you have licensed more than one virus-detection engine, they all work in tandem.

2
Choose one of the responses listed in the table below to define the action to take when a Definite Virus is identified.
 

Actions to take for Definite Viruses and Likely Viruses for Inbound

Response

Effect

No Action

No action is taken for messages.

Permanently Delete

The email message is permanently deleted.

CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.

Reject with SMTP error code 550

The message is rejected with SMTP error code 550, which indicates that the recipient’s mailbox was unavailable (for example, not found, or rejected for policy reasons).

Store in Junk Box
(default setting)

The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.

Send To

Forward the email message for review to the specified email address. For example, you could “Send To [postmaster].”

Tag With

The email is tagged with a term in the subject line, for example [VIRUS]. Selecting this option leaves the user in control of the email; the user can junk it if it is unwanted.

Add X-Header

This option adds an X-Header with the specified key and value to the email message. The first text field defines the X-Header name; the second text field is its value.

For example, an X-Header named “X-EMSJudgedThisEmail” with the value “Virus” results in the email header:
“X-EMSJudgedThisEmail:Virus”

3
Choose one of the responses from the table to define an action to take when a Likely Virus is identified. Change the text fields, if needed, to define the response appropriately.
4
In the Miscellaneous section, select the Allow Users to Unjunk Viruses check box to allow users to view messages with viruses from Junk Box.
NOTE: Viruses are removed from messages identified as Definite Viruses, but messages identified as Likely Viruses are delivered with their attachments intact.
5
Click Apply Changes.

Outbound Anti-Virus Protection

Use this page to guard your organization's outbound email from malicious viruses and against email that is likely to contain viruses. Topics include:

General Settings

The general settings apply to all users.

To define the Action Settings:
1
Navigate to the Anti-Virus page and select the Outbound button.

2
Choose one of the responses from the table below to define what action to take when a Definite Virus is identified.
 

Actions to take for Definite Viruses and Likely Viruses for Outbound

Response

Effect

No Action

No action is taken for messages.

Permanently Delete

The email message is permanently deleted.

CAUTION: If you select this option, your organization risks losing wanted email. Deleted email cannot be retrieved.

Reject with SMTP error code 550

The message is rejected with SMTP error code 550, which indicates that the recipient’s mailbox was unavailable (for example, not found, or rejected for policy reasons).

Store in Junk Box
(default setting)

The email message is stored in the Junk Box. It can be unjunked by users and administrators with appropriate permissions. This option is the recommended setting.

Send To

Forward the email message for review to the specified email address. For example, you could Send To postmaster.

3
Choose one of the responses from the table to define what action to take when a Likely Virus is identified.
4
Scroll down to the bottom of the page and select Apply Changes.

Zombie Protection Settings

Unauthorized software may be running on a computer within your organization and sending out junk email such as spam, phishing, viruses, or other unauthorized content. This can happen if your organization was subjected to a Trojan horse attack, or if a user downloaded something from the web and unauthorized software was installed without the user’s knowledge. Such unauthorized programs that send out malicious content are called Zombies or Spyware.

SonicWall’s Email Security Zombie and Spyware Protection technology brings the same high standard of threat protection available on the inbound email path to email messages leaving your organization through the outbound path.

To enable Zombie and Spyware Protection:
1
Navigate to the Anti-Virus page, and click on the Outbound tab.
2
Scroll down to the section called Zombie Protection Settings.
3
Select the check box Enable Zombie and Spyware Protection.
4
Set the conditions under which alerts are sent to administrators in the Monitoring for Zombie and Spyware Activity section. Select the check box to enable one or more of the following parameters:
Email is sent from an address not in LDAP
More than [specify number] messages are identified as possible threats (within the last hour)
More than [specify number] messages are sent by one user (within the last hour)

5
Using the definitions from the following table, set the Actions Settings and Miscellaneous Settings for Zombie Protection.
NOTE: These settings can affect the email flow leaving your organization.
 

Settings for Zombie Protection Feature

Action

Description

Action for messages leaving your organization that are identified as spam, phishing attacks, or other threats

Select one of the following settings:

Allow Delivery—Allows the delivery of the message without interference.
Permanently Delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
Store in Junk Box—Stores messages with potential threats in the outbound Junk Box.

Action for messages leaving your organization in which the “From” address is not in LDAP

Select one of the following settings:

Allow any “From” address—Allows messages from all email addresses. Note that this is the only option you are able to use if you have not configured LDAP.
Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
Store in Junk Box—Stores messages from unknown senders in the Junk Box.

Activate/Deactivate Outbound Safe Mode preventing any dangerous attachments from leaving your organization

Outbound Safe Mode blocks all emails with potentially dangerous attachments from leaving your organization. When a new virus breaks out and one or more of your organization’s computers is affected, the virus can often propagate itself through your outbound email traffic. Outbound Safe Mode minimizes the possibility of new virus outbreaks spreading through your outbound email traffic. Check the box to enable this feature.

When Outbound Safe Mode is on, take this action for any message with dangerous attachments

If you have enabled Outbound Safe Mode, select one of the following actions when a message with dangerous attachments is received:

Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
Store in Junk Box—Stores messages from unknown senders in the Junk Box.

Automatically turn Outbound Safe Mode on and alert administrators every 60 minutes that Safe Mode is on if

These settings do not take any action other than alerting the administrator of a potential zombie infection.

Select any of the check boxes to send an alert to the administrator if:

Email is sent from an address not in the LDAP (within the last hour)
More than <specify number> messages are identified as possible threats within the last hour
More than <specify number> messages are sent by one user within an hour

Specify senders that will not trigger alerts or actions

Enter email addresses in this text box that you want exempt from Zombie Protection. (This list might include any email addresses that are not in LDAP and email addresses that are expected to send a lot of messages.)

6
Scroll down to the bottom of the page and select Apply Changes.

Flood Protection

The Flood Protection feature supports Zombie Protection by automatically blocking senders from sending outbound mail once they exceed the specified Message Threshold.

To enable Flood Protection:
1
Navigate to the Anti-Virus page, and click the Outbound tab.
2
Scroll down to the Flood Protection section. Then, click the Enable Flood Protection check box.

3
Configure the following settings:
Message Threshold—Specify the number of outbound messages (between 1 and 10,000) that a single sender may send. Then specify the interval (in hours) by selecting a value from the drop-down list. The Flood Protection service activates when a sender has exceeded that number of messages within the specified interval of hours.
Alert sender when threshold is crossed—Enable this option to alert senders that they have exceeded the organizational threshold. Note that, as a result, their outbound email is affected.
Action on outbound message from Flood Senders—Select one of the following options to determine what action is taken on outbound messages from flood sender(s):
Permanently delete—The message is permanently deleted. Use this option with caution since deleted email cannot be retrieved.
Store in Junk Box—The message is moved to the Junk Box and flagged as ‘likely virus’ with the category name ‘flood_protection.’ The administrator can unjunk the message, which is then delivered through the outbound path.
None—No action is taken; messages go through as usual.
Flood Protection Senders Exception List—Found under the Miscellaneous section; specify the list of outbound senders that are exempt from the Flood Protection rule.
Flood Senders List—Users that exceeded the specified Message Threshold values are added to this table by Email Address, together with the time at which the Flood Sender was found exceeding the threshold. To remove a user from the Flood Senders List, select the check box next to the email address(es) you wish to remove, then click the Delete button.
4
When finished configuring the Flood Protection settings, click the Apply Changes button.
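The monitoring conditions in the Zombie Protection table and the Flood Protection threshold above both come down to per-sender counters over a time window. The following Python sketch is an added example, not SonicWall code: it models both against a constructed outbound log, and every address, the LDAP set, the exception list and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed outbound log: (time sent, sender, flagged as a possible threat)
OUTBOUND_LOG = [
    (datetime(2024, 5, 1, 9, 5), "alice@example.com", False),
    (datetime(2024, 5, 1, 9, 10), "zombie-pc@example.com", True),
    (datetime(2024, 5, 1, 9, 20), "zombie-pc@example.com", True),
    (datetime(2024, 5, 1, 9, 30), "zombie-pc@example.com", True),
    (datetime(2024, 5, 1, 9, 40), "bob@example.com", False),
    (datetime(2024, 5, 1, 9, 45), "bob@example.com", False),
    (datetime(2024, 5, 1, 9, 50), "bob@example.com", False),
    (datetime(2024, 5, 1, 9, 55), "newsletter@example.com", False),
]
NOW = datetime(2024, 5, 1, 10, 0)                        # evaluation time (constructed)
LDAP_USERS = {"alice@example.com", "bob@example.com"}    # constructed directory
EXEMPT_SENDERS = {"newsletter@example.com"}              # senders that must not trigger alerts

def zombie_alerts(log, now, ldap_users, exempt, threat_limit, per_user_limit):
    """The three monitoring conditions, evaluated over the last hour."""
    window = [e for e in log
              if now - timedelta(hours=1) <= e[0] <= now and e[1] not in exempt]
    alerts = [f"not_in_ldap:{s}" for s in sorted({e[1] for e in window} - ldap_users)]
    threats = sum(1 for e in window if e[2])
    if threats > threat_limit:                           # "more than N ... possible threats"
        alerts.append(f"threats_exceeded:{threats}")
    per_user = defaultdict(int)
    for _, sender, _ in window:
        per_user[sender] += 1
    for sender, n in sorted(per_user.items()):
        if n > per_user_limit:                           # "more than N ... sent by one user"
            alerts.append(f"per_user_exceeded:{sender}:{n}")
    return alerts

def flood_senders(log, threshold, interval_hours, exempt):
    """Flood Senders List: sender -> time it was found exceeding the threshold."""
    found, recent = {}, defaultdict(list)
    for ts, sender, _ in sorted(log):
        if sender in exempt or sender in found:          # exception list; already listed
            continue
        recent[sender] = [t for t in recent[sender]
                          if ts - t < timedelta(hours=interval_hours)] + [ts]
        if len(recent[sender]) > threshold:              # exceeded the count within the interval
            found[sender] = ts
    return found

if __name__ == "__main__":
    print(zombie_alerts(OUTBOUND_LOG, NOW, LDAP_USERS, EXEMPT_SENDERS, 2, 2))
    print(flood_senders(OUTBOUND_LOG, 2, 1, EXEMPT_SENDERS))
```

Raising the limits in the call to `zombie_alerts` shows how only the "not in LDAP" condition survives a quiet hour, which is why the exception list matters for legitimate non-directory senders.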